A fresh variant of a sophisticated Android ransomware known as MalLocker locks up mobile devices, surfacing its ransom note when a user hits the Home button.
The malware also has a unique machine-learning module.
According to Microsoft researchers, MalLocker spreads via downloads from malicious websites (disguised as popular apps, cracked games or video players) and is peddled in online forums.
However, “the new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristic and behaviour and yet manages to evade many available protections, registering a low detection rate against security solutions,” Microsoft researchers commented in a Thursday posting.
Android ransomware differs from its desktop counterparts: rather than encrypting anything, it blocks access to the device with overlay screens containing ransom notes that prevent users from taking any action. In MalLocker’s case, the overlay screen is surfaced using never-before-seen techniques that abuse legitimate Android features.
It also carries code from an open-source machine-learning module, used to automatically fit the overlay screen to the device’s display.
Researchers observed that typical Android ransomware relies on a special permission, “SYSTEM_ALERT_WINDOW.” The ransom note is tied to that permission: whenever an app holding it is opened, the note is displayed on top of everything else and cannot be dismissed.
“No matter what button is pressed, the window stays on top of all other windows,” researchers explained.
“The notification was intended to be used for system alerts or errors, but Android threats misused it to force the attacker-controlled UI to fully occupy the screen, blocking access to the device. Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device.”
MalLocker is different, though. Among the several notification categories Android supports, it uses the “call” category, which requires immediate user attention. It combines this with the “onUserLeaveHint()” call-back method of the Android Activity class, a bedrock Android function.
That call-back is invoked in the situations that produce the familiar screen Android users see after closing an app, or when the user presses the Home key to send the current activity to the background.
“The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the call-back,” explains Microsoft. “The malware overrides the onUserLeaveHint() call-back function and triggers the automatic pop-up of the ransomware screen without…posing as system window.”
The analysis added, “The malware creates a notification builder and builds a very important notification that needs special privilege. The setFullScreenIntent()…API wires the notification to a GUI so that it pops up when the user taps on it.”
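Because each of these pieces is legitimate on its own (dialer apps use full-screen call notifications, and many activities override onUserLeaveHint()), a defender looking for this technique in app-store or incident triage wants to flag the combination rather than any single API. The following static triage heuristic is an added example, not Microsoft’s tooling or the malware’s code; it assumes the input is text from a decompiled APK (for instance smali produced by apktool, concatenated into one string), and the sample fragments are constructed for the demonstration.

```python
"""Static triage heuristic for the MalLocker-style overlay technique (added example)."""
import re

# Indicator patterns: Android SDK identifiers named in the article plus the
# smali const-string form of the "call" notification category.
INDICATORS = {
    "overrides_onUserLeaveHint": r"\bonUserLeaveHint\s*\(",
    "full_screen_intent":        r"\bsetFullScreenIntent\s*\(",
    "call_category":             r'CATEGORY_CALL|"call"',
    "full_screen_permission":    r"USE_FULL_SCREEN_INTENT",
    "system_alert_window":       r"SYSTEM_ALERT_WINDOW",
}

def find_indicators(decompiled: str) -> dict:
    """Return which indicator patterns occur anywhere in the decompiled text."""
    return {name: bool(re.search(pat, decompiled)) for name, pat in INDICATORS.items()}

def triage(decompiled: str) -> tuple:
    """Classify as 'suspicious', 'review' or 'benign', with the matched indicator names."""
    hits = find_indicators(decompiled)
    reasons = [name for name, hit in hits.items() if hit]
    # The article's novel combination: relaunch-on-leave plus a call-category full-screen notification.
    if hits["overrides_onUserLeaveHint"] and hits["full_screen_intent"] and hits["call_category"]:
        return "suspicious", reasons
    # Classic overlay ransomware leans on SYSTEM_ALERT_WINDOW instead; worth a manual look.
    if hits["system_alert_window"] and hits["full_screen_intent"]:
        return "review", reasons
    # No match only means this heuristic did not fire, not that the app is clean.
    return "benign", reasons

# Constructed smali fragments (not real app or malware code) used as sample input.
SAMPLE_DIALER = """
.method public onCreate()V
    const-string v1, "call"
    invoke-virtual {v0, v1}, Landroid/app/Notification$Builder;->setCategory(Ljava/lang/String;)Landroid/app/Notification$Builder;
    invoke-virtual {v0, v2, v3}, Landroid/app/Notification$Builder;->setFullScreenIntent(Landroid/app/PendingIntent;Z)Landroid/app/Notification$Builder;
.end method
"""
SAMPLE_LOCKER = SAMPLE_DIALER + """
.method protected onUserLeaveHint()V
    invoke-virtual {p0}, Lcom/example/Locker;->relaunchOverlay()V
.end method
"""

if __name__ == "__main__":
    print("dialer:", triage(SAMPLE_DIALER))
    print("locker:", triage(SAMPLE_LOCKER))
```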
MalLocker’s machine-learning module indicates the continuous evolution of this Android ransomware family, researchers commented.
“This ransomware is the latest variant of a malware family that has undergone several stages of evolution,” researchers outlined.
“We expect it to churn out new variants with even more sophisticated techniques. In fact, recent variants contain code forked from an open-source machine-learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices.”
The latest MalLocker variant also shows that mobile threat actors continuously attempt to sidestep technological barriers and creatively find ways to accomplish their goals, which can open the door to new malware trends.
“This new mobile ransomware variant is an important discovery because the malware exhibits behaviours that have not been seen before and could open doors for other malware to follow,” Microsoft added.